By: Jordan Hollinger user 08 Jan 2016 at 2 p.m. CST

6 Responses
I'm reading through [http://www.gluu.org/docs/admin-guide/SCIM/](http://www.gluu.org/docs/admin-guide/SCIM/) and [http://www.gluu.org/docs/admin-guide/uma/](http://www.gluu.org/docs/admin-guide/uma/), but I'm having trouble piecing it all together. [http://www.gluu.org/docs/admin-guide/SCIM/#access-management](http://www.gluu.org/docs/admin-guide/SCIM/#access-management) says I need a Bearer Token for SCIM API calls. Makes sense. But then it says:

> How do you get one of these bearer tokens? You'll need to read up on the UMA protocol. Basically, the first time you call the SCIM API, oxTrust will return both a 403 error code, and permission ticket. Your UMA client will have to present this permission ticket to the oxAuth UMA Authorization API endpoints (the rpt_endpoint) to obtain a valid token.

So I sent a `GET https://<hostname>/identity/seam/resource/restv1/scim/v1/Users/` and got back a 403 as expected. But I don't see anything that looks like a permission ticket for UMA:

```
HTTP/1.1 403 Forbidden
Server: nginx
Date: Fri, 08 Jan 2016 19:51:50 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: JSESSIONID=F0F2D55CD0DDA309BF84AD800785B35E; Path=/identity/; Secure; HttpOnly;HttpOnly

{"errors":[{"description":"User isn't authorized","code":403,"uri":""}]}[consolo@thehatch consolo]$
```

Is there something else I need to be sending along with that request so that it knows to send back a permission ticket? Or is that info outdated, and I need to call a bunch of OpenID or UMA APIs to get a token instead?
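
A way to check a captured response for the permission ticket the quoted documentation describes, as an added example that is not part of the original post or of Gluu's code. The places it looks (a `ticket` parameter in a `WWW-Authenticate: UMA` challenge, or a `ticket` member of the JSON body) and the `as_uri` parameter are assumptions taken from the UMA core drafts, not confirmed Gluu 2.4.0 behaviour; the function name and both sample responses are constructed.

```python
import json
import re

# Constructed sample: trimmed form of the 403 shown in the post above.
RESPONSE_WITHOUT_TICKET = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: nginx\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"errors":[{"description":"User isn\'t authorized","code":403,"uri":""}]}'
)

# Constructed sample: response shape assumed from the UMA drafts, placeholder values.
RESPONSE_WITH_TICKET = (
    "HTTP/1.1 403 Forbidden\r\n"
    'WWW-Authenticate: UMA realm="example", as_uri="https://as.example.com"\r\n'
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"ticket": "PLACEHOLDER-TICKET"}'
)


def find_uma_ticket(raw):
    """Return status, as_uri and ticket found in a raw HTTP response (None if absent)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Only read challenge parameters when the scheme is UMA.
    challenge = headers.get("www-authenticate", "")
    params = {}
    if challenge.lower().startswith("uma"):
        params = dict(re.findall(r'(\w+)="([^"]*)"', challenge))
    ticket = params.get("ticket")
    if ticket is None:
        # Fall back to a top-level "ticket" member in a JSON body.
        try:
            parsed = json.loads(body)
        except ValueError:
            parsed = None
        if isinstance(parsed, dict):
            ticket = parsed.get("ticket")
    return {"status": status, "as_uri": params.get("as_uri"), "ticket": ticket}
```
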

By Michael Schwartz Account Admin 08 Jan 2016 at 2:48 p.m. CST

I asked Shekhar to comment on this issue.

By Jordan Hollinger user 12 Jan 2016 at 10:01 a.m. CST

I've been reading through the UMA docs more, and yes it seems like [I should be expecting some kind of ticket back](https://docs.kantarainitiative.org/uma/draft-uma-core.html#rfc.section.3.1.1). So either Gluu has a bug, or I'm missing some Gluu configuration option to enable this behavior. I've got kind of a hard deadline on this, so any help would be appreciated. Thanks!

By Jordan Hollinger user 12 Jan 2016 at 10:07 a.m. CST

BTW this is a fresh install of Gluu 2.4.0 on Ubuntu.

By Yuriy Movchan staff 26 Jan 2016 at 11:56 a.m. CST

Did you enable SCIM in oxTrust GUI? We disabled SCIM endpoints by default. Also, please check/attach to ticket oxtrust/oxauth logs after attempt to access SCIM.

By William Lowe user 27 Jan 2016 at 4:13 p.m. CST

How's it coming along Jordan? Let us know if / how we can be of assistance. Thanks, Will

By Jonas Daugaard user 30 Jun 2016 at 4:20 a.m. CDT

We have the same issue/question. How to authenticate the JSON API calls?